Solved: remove infected system files ?

wello83 (thread starter, Intermediate), 27-Feb-2008, 03:40 AM, #1
My AVG, once I installed it, found some infected files, but when I try to remove them it pops up a warning that the removal might cause a system crash or whatever.
So what shall I do? Do I have to provide any other information?
I use Win XP SP2.

Thanks in advance.
Byteman (Bill), Moderator & Malware Removal Specialist, NY, 28-Feb-2008, 03:44 PM, #2
Can you post the results you got from AVG so we can see what they might be?

Also, do this:


Go to: Click here to download HJTsetup.exe
  • On that page, select one of the servers in the list under the Free Downloads heading
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then save the log and then the log will open in Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Paste the log in your next reply.
  • Don't use the Analyse This button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

_ _ _ _
Please also do this:
  • Open Hijack This and click on the "Open the Misc Tools section" button.
  • Click on the "Open Uninstall Manager" button.
  • Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad.
  • Copy and paste that list here in your reply
__________________
Mung (computer term), the act of making several incremental changes to an item that combine to destroy it
Donate directly to help the site TSG Library
TSG's Welcome Guide- Tips, Rules, How to use TSG and more!
wello83 (thread starter), 28-Feb-2008, 07:49 PM, #3
Other information I can provide:

Very slow and unreasonable internet connection.
I don't know how to provide you with the AVG results, but I think the autorun.inf in every drive is infected.
I've used RegCure and Spyware Doctor... they fix things, but without any noticeable effect on my performance.
I ran an online scan with Trend Micro, but it crashed at the end and did not complete, because of the slow connection I think... note that I'm supposed to have a speed of 1024/256 kbps.

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:38:07 AM, on 2/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6858 bytes

-----

Thank you for helping.
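Added example (mine, not part of the thread and not a HijackThis feature): a small Python parser for the log format posted above. It reads the R/O entry lines and pulls out the handful a reviewer looks at first: a BHO whose DLL is missing, an autostart given as a bare filename (resolved through the search path rather than a fixed location), any AppInit_DLLs entry, and a service whose binary carries no owner. The sample input is a subset of lines copied from the log above; a flag means "look at this entry", not "this is malware".

```python
import re

# Sample input: a subset of lines copied from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HJT finding is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [Name] command".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O4 Run entries carry the value name in brackets followed by the command line.
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)")


def parse_hjt(text):
    """Return the R/O entries as dicts; process listings and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"),
                            "body": m.group("body"), "raw": line.strip()})
    return entries


def first_token(cmd):
    """The executable part of a command line: a quoted path or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def review_items(entries):
    """Return (section, reason, raw line) for entries worth a second look."""
    flags = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if sec == "O2":
            parts = [p.strip() for p in body.split(" - ")]
            if parts[-1] == "(no file)":
                flags.append((sec, "BHO registration points at a DLL that no longer exists", e["raw"]))
        elif sec == "O4":
            m = RUN_RE.search(body)
            if m:
                exe = first_token(m.group("cmd"))
                if "\\" not in exe:
                    flags.append((sec, f"autostart '{exe}' has no directory; resolved via the search path", e["raw"]))
        elif sec == "O20":
            flags.append((sec, "AppInit_DLLs is loaded into every process that maps user32.dll", e["raw"]))
        elif sec == "O23":
            parts = [p.strip() for p in body.split(" - ")]
            if len(parts) >= 3 and parts[-2] == "Unknown owner":
                flags.append((sec, "service binary carries no company/version information", e["raw"]))
    return flags


if __name__ == "__main__":
    for section, reason, raw in review_items(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{section}: {reason}\n    {raw}")
```

Against the full log above the same parser would also flag the NVIDIA RUNDLL32 entries as bare filenames, which is the usual reason this check stays a review hint rather than a verdict.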
Byteman, 28-Feb-2008, 10:00 PM, #4
Hi,

Where did you get AVG 8? A public beta? Or AVG Internet Security 8, the version you bought?

I am looking around, and do see quite a bit about slowdowns with it.

(And, in general, these full-featured suites do put a burden on computer resources, especially in the first day or two of use but the issue is supposed to decrease as you go on....)

You didn't get this part of my reply:

Please also do this:
  • Open Hijack This and click on the "Open the Misc Tools section" button.
  • Click on the "Open Uninstall Manager" button.
  • Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad.
  • Copy and paste that list here in your reply


I need that to help you; I have to know the exact name of AVG 8, as there are several different types.

Here's the main FAQ section in Support> http://www.grisoft.com/ww.faq.num-436#faq_436


I did find this in the Technical FAQ section for AVG Internet Security 8, which may not be exactly what you have there....



Item 687: Computer is slow after AVG Internet Security installation:

It is possible that your computer works slower after AVG Internet Security installation. The AVG Internet Security edition (which includes all available security components) does contain many improvements and enhancements, which require more computer resources. Also the new AVG 7.5 edition detects more polymorphic viruses, (a very difficult and time consuming operation). However, AVG 7.5 is optimized to consume minimal computer memory. Of course the speed mainly depends on your computer's configuration.

If the computer is slow while an AVG Complete Test is running, you can try to speed up your computer as follows:

1. By running the Disk Defragmenter (Start -> Programs -> Accessories -> System Tools -> Disk Defragmenter)

2. Also, please try to change the priority of the default test. You can do this as follows:


launch AVG Test Center
click on the "Program" menu
choose "Switch to Advanced interface" option
click on "Tests" menu
choose "Test Manager" option
mark the "Complete Test" and click on the "Edit" button
choose the "Advanced" option on the left side
set up the priority to "Low"
you can also set up gaps between testing individual files (bigger gaps = slower test but the computer resources are not used so much)


3. It is possible to speed up your computer by disabling the detection of Potentially Unwanted Programs (PUP):



open AVG Control Center
use double-click on the "Resident Shield" component
uncheck the "Scan Potentially Unwanted Programs" option
save these settings by clicking on the "OK" button



Generally, the best option is to put any infected files in the Virus Vault or Quarantine area when an alert comes up, or when you are scanning and a "virus detected" message comes up... don't just delete them.

In your situation though, these may be false detections; it's a new program and these are going to happen. I would just wait and see if their Support can offer any help. You will have to give us some idea of what the filenames and locations detected were.

Have a look at this page of the FAQ's:

http://www.grisoft.com/ww.faq.num-419#faq_419
__________________
Mung (computer term), the act of making several incremental changes to an item that combine to destroy it
Donate directly to help the site TSG Library
TSG's Welcome Guide- Tips, Rules, How to use TSG and more!

Last edited by Byteman; 28-Feb-2008 at 10:38 PM..
wello83, 28-Feb-2008, 10:27 PM, #5
Sorry, I didn't see that part earlier... but here it is:

µTorrent
3dsmax ancillary install
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Common File Installer
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 1.0
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Help Center 2.0
Adobe Help Viewer CS3
Adobe Illustrator CS2
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS2
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Premiere Pro FC
Adobe Production Studio
Adobe Reader 7.0
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos 1.0
Adobe Stock Photos 1.0
Adobe Stock Photos CS3
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Autodesk 3ds Max 2008 32-bit
Autodesk 3ds Max 2008 32-bit Additional Maps and Material Libraries
Autodesk 3ds Max 2008 32-bit Architectural Materials Library
Autodesk 3ds Max 2008 32-bit Help
Autodesk 3ds Max 2008 32-bit Vault 2008 Plug-In
Autodesk 3ds Max 2008 32-bit Vault 5 Plug-In
Autodesk 3ds Max 2008 32-bit Videos
Autodesk 3ds Max 9 32-bit
Autodesk DWF Viewer 7
AVG 8.0
Backburner
DivX Codec
DivX Converter
FBX Plugin 2006.08 for Max 9.0
FBX Plugin 2006.11.1 for Max 2008
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 2.0 (KB918842)
J2SE Runtime Environment 5.0 Update 3
Java(TM) 6 Update 3
LimeWire PRO 4.14.10
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Microsoft .NET Framework 2.0
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.12)
MSXML 6.0 Parser
Nero 8 Demo
neroxml
NVIDIA Drivers
PDF Settings
QuickTime
Real Alternative 1.31
Realtek High Definition Audio Driver
RegCure 1.5.0.0
SUPERAntiSpyware Free Edition
Turbo Squid Tentacles 3ds Max 2008
Update for Windows XP (KB898461)
VCRedistSetup
VideoLAN VLC media player 0.8.4
V-Ray for 3dsmax R9 for x86
Web Sudoku Deluxe 1.2
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
WinRAR archiver
WinSoftMEsti
Yahoo! Messenger


------

About AVG: I installed it after McAfee showed inefficiency due to my slowdown and earlier viruses, like drives that do not open normally and not being able to unhide hidden infected files from the folder options. It was advised by a friend I got it from...
"AVG Anti-Virus v8 Pro". The exe file name is "avg80f_62a1257.exe", and in the AVG title bar: "AVG Internet Security - Release Candidate".
I think it's that one:
www.grisoft.com/ww.download?prd=ais#tba1

thanks for helping

Last edited by wello83; 28-Feb-2008 at 10:47 PM..
Byteman, 29-Feb-2008, 01:20 AM, #6
Hi, OK, I don't see anything wrong in the log.

I would say, best thing to do is an online scan--make sure that when the scan completes, you save the report/results of scan and post them.



Housecall online scan:
http://www.trendsecure.com/portal/en...security_tools


Or this one: Kaspersky online full scan
  • Please go HERE and click Free Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files,
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
  • Copy and Paste the contents of the on line scanner results into a Reply here in your thread, along with a new HJT log and log from any other scans you run.


That will give me the filenames and locations so I can tell what to do.
__________________
Mung (computer term), the act of making several incremental changes to an item that combine to destroy it
Donate directly to help the site TSG Library
TSG's Welcome Guide- Tips, Rules, How to use TSG and more!
wello83, 29-Feb-2008, 02:52 PM, #7
I've done a Kaspersky online scan, but I don't know if it has any healing options... anyway, here's the report you asked for:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, February 29, 2008 9:42:38 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/02/2008
Kaspersky Anti-Virus database records: 542949
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 167560
Number of viruses found: 2
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 03:02:18

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\AvgAm\avgam.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgfw8u.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgam.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgns.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpub.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpriv.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U3ZMZF5Z\w[1].bin Infected: Trojan-Downloader.Win32.Delf.evt skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\sherif compumood\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\sherif compumood\Local Settings\Temp\IMG9.tmp Object is locked skipped
C:\Documents and Settings\sherif compumood\Local Settings\Temp\fla24.tmp Object is locked skipped
C:\Documents and Settings\sherif compumood\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sherif compumood\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sherif compumood\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\sherif compumood\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\sherif compumood\Local Settings\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\sherif compumood\Local Settings\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\sherif compumood\Local Settings\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\sherif compumood\Local Settings\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\sherif compumood\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\sherif compumood\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\sherif compumood\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\sherif compumood\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\sherif compumood\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\sherif compumood\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\foxmarks.log Object is locked skipped
C:\Documents and Settings\sherif compumood\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\cert8.db Object is locked skipped
C:\Documents and Settings\sherif compumood\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\key3.db Object is locked skipped
C:\Documents and Settings\sherif compumood\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\parent.lock Object is locked skipped
C:\Documents and Settings\sherif compumood\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\GoogleToolbarData\googlesafe browsing.db Object is locked skipped
C:\Documents and Settings\sherif compumood\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\history.dat Object is locked skipped
C:\Documents and Settings\sherif compumood\Application Data\Mozilla\Firefox\Profiles\qao92mga.default\search.sqlite Object is locked skipped
C:\Documents and Settings\sherif compumood\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-2-29-2008( 5-51-39 ).LOG Object is locked skipped
C:\Documents and Settings\sherif compumood\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\sherif compumood\.housecall6.6\log\execution0.log Object is locked skipped
C:\Documents and Settings\sherif compumood\.housecall6.6\log\error0.log Object is locked skipped
C:\Documents and Settings\sherif compumood\.housecall6.6\log\engine0.log Object is locked skipped
C:\Documents and Settings\sherif compumood\.housecall6.6\log\execution0.log.lck Object is locked skipped
C:\Documents and Settings\sherif compumood\.housecall6.6\log\error0.log.lck Object is locked skipped
C:\Documents and Settings\sherif compumood\.housecall6.6\log\engine0.log.lck Object is locked skipped
C:\Program Files\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked skipped
C:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.psv skipped
C:\System Volume Information\_restore{104BAC1A-7312-4EC6-901C-C7B6EE7B6299}\RP72\A0015817.SYS Infected: Trojan-Downloader.Win32.Delf.evt skipped
C:\System Volume Information\_restore{104BAC1A-7312-4EC6-901C-C7B6EE7B6299}\RP73\change.log Object is locked skipped
D:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.psv skipped
E:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.psv skipped
E:\System Volume Information\_restore{104BAC1A-7312-4EC6-901C-C7B6EE7B6299}\RP68\A0013729.exe Object is locked skipped
E:\System Volume Information\_restore{104BAC1A-7312-4EC6-901C-C7B6EE7B6299}\RP68\A0013730.exe Object is locked skipped
F:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.psv skipped
G:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.psv skipped

Scan process completed.

------------------------------

Hi again, so that was the report.
I don't like that part about the infected autorun.inf, because as I said I used to have problems with opening my drives.
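Added example (mine, not part of the thread): most of the report above is "Object is locked skipped" noise, and the useful content is the handful of lines that say "Infected:". The Python below does that reduction over a subset of lines copied from the report, groups the hits by detection name, and labels where each one lives: a drive-root autorun.inf, the browser cache, or a copy that System Restore keeps under System Volume Information. The report format it assumes is exactly the one shown above (path, then "Infected: <name> <action>").

```python
import re
from collections import defaultdict

# Sample input: a subset of lines copied from the Kaspersky Online Scanner report above.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U3ZMZF5Z\w[1].bin Infected: Trojan-Downloader.Win32.Delf.evt skipped
C:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.psv skipped
C:\System Volume Information\_restore{104BAC1A-7312-4EC6-901C-C7B6EE7B6299}\RP72\A0015817.SYS Infected: Trojan-Downloader.Win32.Delf.evt skipped
D:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.psv skipped
E:\autorun.inf Infected: Trojan-PSW.Win32.OnLineGames.psv skipped
Scan process completed.
"""

# "<path> Infected: <detection name> <last action>"
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
# Files the scanner could not open; informational, not findings.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
ROOT_AUTORUN = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.IGNORECASE)


def parse_report(text):
    """Split the report into real findings and the list of locked (unscanned) files."""
    findings, locked = [], []
    for line in text.splitlines():
        line = line.rstrip()
        m = INFECTED_RE.match(line)
        if m:
            findings.append({"path": m.group("path"), "name": m.group("name"),
                             "action": m.group("action")})
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))
    return findings, locked


def location_kind(path):
    """Where the object lives, which decides what can be done about it."""
    if "\\System Volume Information\\" in path:
        return "restore-point copy"
    if "\\Temporary Internet Files\\" in path:
        return "browser cache"
    if ROOT_AUTORUN.match(path):
        return "drive-root autorun.inf"
    return "other"


def triage(text):
    """Group findings by detection name and list the drives carrying a flagged autorun.inf."""
    findings, locked = parse_report(text)
    by_name = defaultdict(list)
    for f in findings:
        f["kind"] = location_kind(f["path"])
        by_name[f["name"]].append(f)
    drives = sorted({f["path"][0].upper() for f in findings
                     if f["kind"] == "drive-root autorun.inf"})
    return {"findings": findings, "by_name": dict(by_name),
            "locked_count": len(locked), "drives_with_autorun": drives}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{len(result['findings'])} infected objects, {result['locked_count']} locked files skipped")
    for name, hits in result["by_name"].items():
        print(name)
        for h in hits:
            print(f"    [{h['kind']}] {h['path']} ({h['action']})")
    print("drives with a flagged autorun.inf:", ", ".join(result["drives_with_autorun"]))
```

The "locked" count is worth keeping in the summary: registry hives, event logs and the WMI repository are always in that list on a running system, so a long locked list is expected and says nothing about infection.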
Byteman, 29-Feb-2008, 09:21 PM, #8
Hi. No, the Kaspersky Online scan does not heal or remove anything; we use it because it is a very thorough diagnostic and gives us a scan for all types of malware, not just trojans and viruses.

Here are the files we need to deal with: Do NOT delete them, yet.

Quote:
Number of viruses found: 2
Number of infected objects: 7
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U3ZMZF5Z\w[1].bin ------> Trojan-Downloader.Win32.Delf.evt
C:\autorun.inf ------> Trojan-PSW.Win32.OnLineGames.psv
C:\System Volume Information\_restore{104BAC1A-7312-4EC6-901C-C7B6EE7B6299}\RP72\A0015817.SYS ------> Trojan-Downloader.Win32.Delf.evt
D:\autorun.inf ------> Trojan-PSW.Win32.OnLineGames.psv
E:\autorun.inf ------> Trojan-PSW.Win32.OnLineGames.psv
F:\autorun.inf ------> Trojan-PSW.Win32.OnLineGames.psv
G:\autorun.inf ------> Trojan-PSW.Win32.OnLineGames.psv
Anyway, by "trouble opening drives" do you mean that without an autorun.inf file in each they don't open? Are you meaning hard drives or partitions, or just USB flash drives, MP3 players, iPods, and CD/DVD drives? Did drive C: ever give you trouble?

Let's experiment with one drive to start- remove all flash USB or USB external hard drives (don't just turn off, remove the cables)

Set your Folder Options>View and Search settings this way:

Quote:
Because XP will not always show you hidden files and folders by default, Go to Start > Search>Files and Folders>> and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
Boot up in Safe Mode:

Copy these steps to a Notepad text file and save it as steps.txt to your desktop, or print them, as you will not be able to get online while working in Safe Mode (and please do not use Safe Mode with Networking for this fix!)

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account and log on.

At the desktop:

Pick a drive letter other than C: that is a hard disk or partition (not where Windows is installed, and not a CD drive). Use Windows Explorer and navigate to (driveletter)\autorun.inf, for example H:\autorun.inf.

Right click the autorun.inf and select Properties; if it is marked read-only, take the mark out.

Delete the autorun.inf file and empty the Recycle Bin.

Open My Computer> double click that same drive letter to see if it will open.

If it opens, check for a new autorun.inf file; one might have been automatically re-created. Let me know if one does show up, or let me know that autorun.inf is not there.

Restart the computer normally. Now you need to check again that that same drive letter will open with a double click; let me know.

Let me know if it does not, and whether an autorun.inf file is back on drive H: or not.

Post the details.
__________________
Mung (computer term), the act of making several incremental changes to an item that combine to destroy it
Donate directly to help the site TSG Library
TSG's Welcome Guide- Tips, Rules, How to use TSG and more!

Last edited by Byteman; 29-Feb-2008 at 11:34 PM..
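The autorun.inf experiment above, carried out in code rather than by hand, as an added example that is not part of the thread or of any tool it mentions: it parses an autorun.inf the way AutoPlay reads it (an INI [autorun] section with case-insensitive keys), reports which directives would run a program when the drive is opened or double-clicked, and names the hidden/read-only attributes the steps say to clear first. The two sample files and the RECYCLER\update.exe target are constructed, not taken from the infected machine.

```python
"""Triage helper for autorun.inf files like the ones flagged on drives C: to G: above."""
import os
import stat
import string
from dataclasses import dataclass, field

LAUNCH_KEYS = {"open", "shellexecute"}  # [autorun] keys AutoPlay executes directly
HIDDEN_FOLDERS = ("recycler\\", "recycled\\", "system volume information\\")
ATTRIBUTE_NAMES = ((stat.FILE_ATTRIBUTE_HIDDEN, "hidden"),
                   (stat.FILE_ATTRIBUTE_READONLY, "read-only"),
                   (stat.FILE_ATTRIBUTE_SYSTEM, "system"))


@dataclass
class AutorunFinding:
    launches: dict = field(default_factory=dict)  # directive -> command it runs
    reasons: list = field(default_factory=list)   # triage notes, empty if benign

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_ini(text: str) -> dict:
    """Tolerant INI parse to {section: {key: value}} with sections/keys lower-cased.
    Comments, text outside a section and lines without '=' are skipped, as AutoPlay does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(text: str) -> AutorunFinding:
    """Decide whether an autorun.inf runs code or merely sets an icon and label."""
    finding = AutorunFinding()
    auto = parse_ini(text).get("autorun")
    if auto is None:
        finding.reasons.append("no [autorun] section; the file has no legitimate purpose")
        return finding
    for key, value in auto.items():
        # open=/shellexecute= fire on AutoPlay; shell\<verb>\command fires on that verb.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            finding.launches[key] = value
    if finding.launches:
        finding.reasons.append("runs a program: " + "; ".join(
            f"{k}={v}" for k, v in sorted(finding.launches.items())))
    # shell=<verb> makes that verb the double-click default, so a double click on the
    # drive runs the verb's command instead of opening the drive; once an AV removes
    # the target, Explorer typically shows the "Open with" dialog described in this thread.
    verb = auto.get("shell", "").lower()
    if verb and f"shell\\{verb}\\command" in finding.launches:
        finding.reasons.append(f"double-click hijacked via shell={verb}")
    targets = (t.lower().lstrip("\\") for t in finding.launches.values())
    if any(t.startswith(HIDDEN_FOLDERS) for t in targets):
        finding.reasons.append("launch target sits in a folder Explorer hides by default")
    return finding


def attribute_flags(path: str) -> list:
    """Hidden/read-only/system flags set on path (Windows only; [] on other systems)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return [name for flag, name in ATTRIBUTE_NAMES if attrs & flag]


# Constructed samples; not copied from the infected machine.
SAMPLE_WORM = """[AutoRun]
open=RECYCLER\\update.exe
shell\\open=Open(&O)
shell\\open\\Command=RECYCLER\\update.exe
shell\\explore=Explore(&X)
shell\\explore\\Command=RECYCLER\\update.exe
shell=open
"""
SAMPLE_BENIGN = """[autorun]
icon=setup.exe,0
label=Driver CD
"""

if __name__ == "__main__":
    for name, sample in (("worm-style", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(name, "->", assess_autorun(sample).reasons or ["nothing suspicious"])
    # On Windows, check the root of every mounted drive letter, as the steps above do by hand.
    for root in (f"{c}:\\" for c in string.ascii_uppercase if os.path.isdir(f"{c}:\\")):
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, encoding="latin-1") as fh:  # binary padding must not abort the scan
                print(root, attribute_flags(path), assess_autorun(fh.read()).reasons)
```

On a Windows machine it walks every mounted drive letter; elsewhere it only assesses the built-in samples.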
wello83
Member with 31 posts.
THREAD STARTER
Join Date: Feb 2008
Experience: Intermediate
01-Mar-2008, 07:40 PM #9
Hi, and thanks for your efforts.

Now, when I said I "used" to have problems with opening my drives, I meant I had that problem before, and explained it as follows:

Whenever I clicked to open any partition, including the one with Windows, and any flash drives, BUT not the CD\DVD drives, it popped up the "Open with" dialogue box, and in the meantime the system was suffering slow performance and a slow internet connection.

Now that partition opening problem is suddenly gone, I don't know how. Maybe AVG did something, but the slow performance still exists, and then after the Kaspersky scan I noticed that the infection in the "autorun.inf" is still there as well.

---
About what you told me to do:

After deleting the autorun.inf in my "F" drive as instructed,
I clicked to open it, and it did open, and I did NOT find any other replaced autorun.inf file.
I restarted in normal mode, and the same: the "F" drive opened with no trace of the autorun.inf.

Let me know if anything is missing.

Thank you again.

Note: I think the system is faster now, but not as fast as it used to be.
Byteman (Bill)
Moderator & Malware Removal Specialist with 17,359 posts.
Join Date: Jan 2002
Location: NY
01-Mar-2008, 08:25 PM #10
Hi,

Please do what is below- if you do not understand something, ask before using the tool.

Please also have all external or USB drives connected before using the tool.

SDFix runs only in Windows Safe Mode.

Please read all through the info so you know what will be done.
**Note that SDFix runs only in Safe Mode.
**Also, any user account that you boot into in Safe Mode has to be at Administrator user level.
There is a Printable Version button up under the Thread Tools drop-down menu that will let you print a nice text version of these instructions.
Alternate way to save directions: open Notepad, copy and paste any text you wish into Notepad, and save the file as something you will recognize, like TSGhelp.txt, onto your desktop.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
wello83
Member with 31 posts.
THREAD STARTER
Join Date: Feb 2008
Experience: Intermediate
02-Mar-2008, 07:40 AM #11
Hi,
here's a question before doing what you've instructed:

You wrote in your post that I have to enter at an administrator level; then in later lines, in the Safe Mode part, you wrote "enter your usual account".

Now here's my status: I'm the only user of my PC. I thought I had made an administrator user account to make a Windows password, but when I enter Safe Mode there is an Administrator account other than my usual account, which has my password, so I don't know if my usual account is administrative or not.

I don't know why there is another administrator account that appears ONLY in Safe Mode, so anyway, which one should I enter?
Byteman (Bill)
Moderator & Malware Removal Specialist with 17,359 posts.
Join Date: Jan 2002
Location: NY
02-Mar-2008, 03:54 PM #12
There is a hidden user account called Administrator on XP Home Edition that does not show when you log on in Normal Mode.

*Don't use that one; you won't see your usual desktop and shortcuts, etc.

*Use your normal user account, provided it is an administrator-level account. Here is how to tell:

When you start up in Normal Mode, your user account name has "Administrator" just underneath it; that means your account is not a Limited account, and that you should log on to that account in Safe Mode to do the work.

*The special Administrator account that you see in Safe Mode has a blank password by default; that is, unless you or someone created one, there is no password for it. There is one for your account, if you log on using a password.

* All user accounts, when created, are Administrator level. Any account can be changed later to a Limited account, but if no one has done that, your account should be OK and have Administrator rights, so try it out.

This should be your user account: sherif compumood
wello83
Member with 31 posts.
THREAD STARTER
Join Date: Feb 2008
Experience: Intermediate
02-Mar-2008, 07:47 PM #13
Hi,
this is the SDFix report:

SDFix: Version 1.150

Run by sherif compumood on Mon 03/03/2008 at 02:04 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\autorun.inf - Deleted
C:\WINDOWS\system32\comsa32.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 02:41:53
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 2008 32-bit"
"C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 9 32-bit"
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"="C:\\Program Files\\Autodesk\\Backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"="C:\\Program Files\\Autodesk\\Backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"="C:\\Program Files\\Autodesk\\Backburner\\server.exe:*:Enabled:backburner 2.3 server"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :


Finished!



-----------------------


And this is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:59 AM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7799 bytes



---------------------------

Thank you.
Byteman (Bill)
Moderator & Malware Removal Specialist with 17,359 posts.
Join Date: Jan 2002
Location: NY
02-Mar-2008, 08:48 PM #14
Hi, good, that found a few things.

Do this please:

Run HijackThis, Scan only this time, and put checks next to these items in your scan window. CLOSE all Internet-related and program windows, nothing open but HijackThis. CLOSE this browser window also.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


When you have the items checked, click "Fix checked" to remove them.

Close Hijackthis.


Please read all through the info so you know what will be done.
Here are the directions, but I also have them below:
http://www.bleepingcomputer.com/comb...o-use-combofix

There is a Printable Version button up under the Thread Tools drop-down menu that will let you print a nice text version of these instructions.
Alternate way to save directions: open Notepad, copy and paste any text you wish into Notepad, and save the file as something you will recognize, like TSGhelp.txt, onto your desktop.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------

  3. Double click on combofix.exe & follow the prompts.
  4. When finished, it will produce a report for you.
  5. Please post the "C:\ComboFix.txt" in your next reply. And, after you are done posting the log from ComboFix, run HijackThis again, Scan and Save a Log, and post the brand new log.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
wello83
Member with 31 posts.
THREAD STARTER
Join Date: Feb 2008
Experience: Intermediate
03-Mar-2008, 11:48 AM #15
Hi, I feel like a soldier here doing missions.

So that's the combofix.txt:

ComboFix 08-03-03.12 - sherif compumood 2008-03-03 18:19:03.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1256.20.1033.18.1590 [GMT 2:00]
Running from: C:\Documents and Settings\sherif compumood\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drmgs.sys
D:\Autorun.inf
E:\Autorun.inf
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_PERFMONS
-------\LEGACY_ROUTING
-------\Routing


((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-03 02:02 . 2008-03-03 02:02 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-03 01:53 . 2008-03-01 13:18 <DIR> d-------- C:\SDFix
2008-03-03 01:33 . 2008-03-03 01:33 <DIR> d--hs---- C:\FOUND.004
2008-02-29 23:13 . 2008-02-29 23:13 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-29 22:52 . 2008-02-29 22:52 <DIR> d-------- C:\Program Files\Windows Live
2008-02-29 22:52 . 2008-02-29 22:53 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-29 22:52 . 2008-02-29 22:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-29 15:39 . 2008-02-29 15:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-29 15:39 . 2008-02-29 15:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-29 03:31 . 2008-02-29 03:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-29 03:30 . 2008-02-29 03:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-29 03:30 . 2008-02-29 03:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-29 03:30 . 2008-02-29 03:30 <DIR> d-------- C:\Documents and Settings\sherif compumood\Application Data\SUPERAntiSpyware.com
2008-02-28 17:37 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-28 01:56 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-02-28 01:33 . 2008-02-27 20:33 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-27 20:32 . 2008-02-27 20:32 <DIR> d-------- C:\Documents and Settings\sherif compumood\.housecall6.6
2008-02-27 19:43 . 2008-02-27 19:43 <DIR> d-------- C:\Program Files\RegCure
2008-02-27 17:46 . 2008-02-27 17:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DivX
2008-02-27 17:39 . 2008-02-27 17:39 <DIR> d--hs---- C:\FOUND.003
2008-02-26 23:39 . 2008-02-26 23:39 <DIR> d-------- C:\Documents and Settings\sherif compumood\Application Data\PC Tools
2008-02-26 22:58 . 2008-02-26 22:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-20 01:03 . 2008-02-20 01:03 <DIR> d--h----- C:\$AVG8.VAULT$
2008-02-20 00:49 . 2008-02-20 00:49 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-02-20 00:49 . 2008-02-20 00:49 <DIR> d-------- C:\Program Files\AVG
2008-02-20 00:49 . 2008-02-20 00:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-02-20 00:49 . 2008-02-20 00:49 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-02-20 00:49 . 2008-02-20 00:50 73,864 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-02-20 00:49 . 2008-02-20 00:49 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll
2008-02-20 00:49 . 2008-02-20 00:49 22,528 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys
2008-02-20 00:49 . 2008-02-20 00:50 14,104 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-02-20 00:49 . 2008-02-20 00:50 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-02-20 00:48 . 2008-02-20 00:49 434,401 --a------ C:\WINDOWS\system32\tmp0_800732510241.bk
2008-02-19 23:22 . 2003-11-04 15:10 65,536 --a------ C:\WINDOWS\system32\lfeps13n.dll
2008-02-19 23:22 . 2003-05-22 16:31 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll
2008-02-19 23:21 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-02-19 23:21 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-02-19 23:21 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-02-19 23:21 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-02-19 23:21 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-02-19 23:21 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-02-19 23:21 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-02-19 23:21 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-02-16 14:56 . 2008-02-16 14:56 <DIR> d-------- C:\Program Files\WebSudokuDeluxe
2008-02-16 00:10 . 2008-02-16 00:10 <DIR> d-------- C:\Documents and Settings\sherif compumood\Application Data\vlc
2008-02-15 15:43 . 2008-02-15 15:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-15 15:38 . 2008-02-15 15:38 <DIR> d-------- C:\Program Files\Bonjour
2008-02-15 15:31 . 2008-02-15 15:31 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-02-14 22:41 . 2008-02-14 22:42 4,212 --a------ C:\WINDOWS\system32\acdb.err
2008-02-13 22:26 . 2008-02-13 22:26 <DIR> d-------- C:\Documents and Settings\sherif compumood\Application Data\DivX
2008-02-12 18:19 . 2008-02-12 18:19 <DIR> d--hs---- C:\FOUND.002
2008-02-11 19:41 . 2008-02-11 19:41 32 --a------ C:\WINDOWS\CD_Start.INI
2008-02-05 02:05 . 2008-02-05 02:05 244 --ah----- C:\sqmnoopt00.sqm
2008-02-05 02:05 . 2008-02-05 02:05 232 --ah----- C:\sqmdata00.sqm
2008-02-03 18:22 . 2008-02-03 18:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 18:15 . 2008-02-03 18:15 <DIR> d--hs---- C:\FOUND.001

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 21:36 98,304 ----a-w C:\WINDOWS\DUMP124c.tmp
2008-02-02 19:42 --------- d-----w C:\Program Files\Chaos Group
2008-02-01 23:52 --------- d-----w C:\Documents and Settings\sherif compumood\Application Data\McAfee
2008-02-01 16:49 --------- d-----w C:\Program Files\Macromedia
2008-02-01 16:49 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-02-01 16:06 --------- d-----w C:\Program Files\Common Files\ChaosGroup
2008-01-28 00:02 --------- d-----w C:\Documents and Settings\sherif compumood\Application Data\Autodesk
2008-01-27 23:56 --------- d-----w C:\Program Files\turbo squid tentacles
2008-01-27 23:53 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-01-27 23:53 --------- d-----w C:\Program Files\Autodesk
2008-01-27 23:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-01-19 23:55 --------- d-----w C:\Documents and Settings\sherif compumood\Application Data\Nero
2008-01-19 16:56 --------- d-----w C:\Program Files\Nero
2008-01-19 16:56 --------- d-----w C:\Program Files\Common Files\Nero
2008-01-19 16:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-01-19 14:37 --------- d-----w C:\Program Files\Real Alternative
2008-01-19 14:37 --------- d-----w C:\Program Files\Media Player Classic
2008-01-10 12:50 --------- d-----w C:\Documents and Settings\sherif compumood\Application Data\AdobeUM
2008-01-09 15:07 --------- d-----w C:\Documents and Settings\sherif compumood\Application Data\LimeWire
2008-01-09 11:18 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-09 11:18 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-09 11:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-09 11:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-09 11:16 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-09 11:16 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-09 11:16 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-09 11:16 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-09 11:16 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-09 11:16 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-08 22:21 --------- d-----w C:\Documents and Settings\sherif compumood\Application Data\Media Player Classic
2008-01-08 22:20 --------- d-----w C:\Program Files\VideoLAN
2008-01-08 21:46 --------- d-----w C:\Documents and Settings\sherif compumood\Application Data\uTorrent
2008-01-08 21:45 --------- d-----w C:\Program Files\uTorrent
2008-01-08 21:43 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-08 21:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-08 15:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-08 15:56 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-01-08 15:56 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-08 00:22 --------- d-----w C:\Program Files\Winamp
2008-01-08 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-08 00:10 --------- d-----w C:\Documents and Settings\sherif compumood\Application Data\Apple Computer
2008-01-08 00:08 --------- d-----w C:\Program Files\QuickTime
2008-01-08 00:07 --------- d-----w C:\Program Files\Yahoo!
2008-01-07 22:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\MCA38.tmp
2008-01-07 22:15 --------- d-----w C:\Documents and Settings\sherif compumood\Application Data\McAfee.com Personal Firewall
2008-01-07 22:15 --------- d-----w C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
2008-01-07 22:12 --------- d-----w C:\Program Files\McAfee
2008-01-07 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
2008-01-07 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-07 21:40 --------- d-----w C:\Program Files\Java
2008-01-07 21:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-07 21:25 --------- d-----w C:\Program Files\Common Files\Java
2008-01-07 21:24 --------- d-----w C:\Program Files\LimeWire
2008-01-07 21:22 --------- d-----w C:\Program Files\DivX
2008-01-07 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-07 21:10 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-07 21:08 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-07 14:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 14:35 --------- d-----w C:\Program Files\Realtek
2008-01-07 14:35 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-07 14:12 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-11 19:44 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 19:44 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-11 19:43 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:07 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-28 14:23 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-04-24 09:20 1448960 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-04 09:59 16206848 C:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-12 06:51 8523776]
"nwiz"="nwiz.exe" [2007-11-12 06:51 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-12 06:51 81920]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 12:48 157592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-02-20 00:49 899864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:07 15360]

C:\Documents and Settings\sherif compumood\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-02-20 00:50]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-02-20 00:49]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-02-20 00:49]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-02-20 00:49]
R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-02-20 00:49]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-02-20 00:50]
R2 mi-raysat_3dsMax2008_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit;"C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe" [2007-09-24 17:05]
R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-02-20 00:49]
S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-02-20 00:49]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02916cf8-d675-11dc-9dca-0014853d7e7d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff6c399c-d0dc-11dc-9dc2-0014853d7e7d}]
\Shell\AutoRun\command - ylr.exe
\Shell\explore\Command - ylr.exe
\Shell\open\Command - ylr.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-27 17:44:16 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-03 16:24:24 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 18:24:48
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2008-03-03 18:25:32 - machine was rebooted [sherif compumood]
ComboFix-quarantined-files.txt 2008-03-03 16:25:30
.
2008-01-08 15:25:45 --- E O F ---

-----------------------------------------------

and that's the HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:38:24 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SkyTel.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7849 bytes

----------------------------------------

Hey... do you know what the "Bonjour service" is? At every startup AVG pops up asking whether I would like to grant that "Bonjour service" access to the internet, but since I don't know what it is I choose block.

Thanks